commit 40472ae6f780136d749c88697d1ecf8ff9618b3f Author: meliurwen Date: Wed Oct 13 13:13:43 2021 +0200 Initial commit diff --git a/.env b/.env new file mode 100644 index 0000000..13d8130 --- /dev/null +++ b/.env @@ -0,0 +1,2 @@ +LOCAL_STACK_DIR=/srv/docker/volumes/dnscrypt-server + diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4c786c4 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +volumes/unbound/etc/unbound/var diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..02131f2 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,56 @@ +version: "3" + +services: + dnscrypt-server: + image: jedisct1/dnscrypt-server:latest + container_name: dnscrypt-server + restart: unless-stopped + expose: + - "8443/tcp" + ports: + - "8443:8443/udp" + networks: + - dnscrypt + volumes: + - ./encrypted-dns.toml.in:/opt/encrypted-dns/etc/encrypted-dns.toml.in:ro + - ${LOCAL_STACK_DIR}/dnscrypt-server/keys:/opt/encrypted-dns/etc/keys + - ${LOCAL_STACK_DIR}/dnscrypt-server/lists:/opt/encrypted-dns/etc/lists + command: "init -N dncr.eracolatore.tk -E 173.249.32.7:8443" + environment: + - TZ='Europe/Berlin' + + unbound: + image: mvance/unbound:latest + container_name: unbound + restart: unless-stopped + expose: + - "53/tcp" + - "53/udp" + networks: + - default + - dnscrypt + volumes: + - ./volumes/unbound/etc/unbound:/opt/unbound/etc/unbound + + dnscrypt-server-doh: + image: satishweb/doh-server:latest + container_name: dnscrypt-server-doh + environment: + - DEBUG=0 + - UPSTREAM_DNS_SERVER=udp:unbound:53 + - DOH_HTTP_PREFIX=/dns-query + - DOH_SERVER_LISTEN=0.0.0.0:8053 + - DOH_SERVER_TIMEOUT=10 + - DOH_SERVER_TRIES=3 + - DOH_SERVER_VERBOSE=true + - VIRTUAL_HOST=doh.dns.eracolatore.tk + - VIRTUAL_PORT=8053 + - LETSENCRYPT_HOST=doh.dns.eracolatore.tk + - LETSENCRYPT_EMAIL=meliurwen+letsencrypt@gmail.com + +networks: + default: + external: + name: ${NETWORK:-webservices} + dnscrypt: + diff --git a/encrypted-dns.toml.in b/encrypted-dns.toml.in new file mode 100644 index 0000000..531b66b --- /dev/null +++ b/encrypted-dns.toml.in @@ -0,0 +1,257 @@ +#################################################### +# # +# Encrypted DNS Server configuration # +# # +#################################################### + + + +################################## +# Global settings # +################################## + + +## IP addresses and ports to listen to, as well as their external IP +## If there is no NAT involved, `local` and `external` can be the same. +## As many addresses as needed can be configured here, IPv4 and/or IPv6. +## You should at least change the `external` IP address. + +### Example with both IPv4 and IPv6 addresses: +# listen_addrs = [ +# { local = "0.0.0.0:443", external = "198.51.100.1:443" }, +# { local = "[::]:443", external = "[2001:db8::1]:443" } +# ] + +listen_addrs = [ + @LISTEN_ADDRESSES@ +] + +## Upstream DNS server and port + +upstream_addr = "172.30.0.3:53" + + +## File name to save the state to + +state_file = "/opt/encrypted-dns/etc/keys/state/encrypted-dns.state" + + +## UDP timeout in seconds + +udp_timeout = 10 + + +## TCP timeout in seconds + +tcp_timeout = 10 + + +## Maximum active UDP sockets + +udp_max_active_connections = 1000 + + +## Maximum active TCP connections + +tcp_max_active_connections = 100 + + +## Optional IP address to connect to upstream servers from. +## Leave commented/undefined to automatically select it. + +# external_addr = "0.0.0.0" + + +## Built-in DNS cache capacity + +cache_capacity = 150000 + + +## DNS cache: minimum TTL + +cache_ttl_min = 3600 + + +## DNS cache: max TTL + +cache_ttl_max = 86400 + + +## DNS cache: error TTL + +cache_ttl_error = 600 + + +## DNS cache: to avoid bursts of traffic for popular queries when an +## RRSET expires, hold a TTL received from an upstream server for +## `client_ttl_holdon` seconds before decreasing it in client responses. + +client_ttl_holdon = 60 + + +## Run as a background process + +daemonize = false + + +## Log file + +# log_file = "/tmp/encrypted-dns.log" + + +## PID file + +# pid_file = "/tmp/encrypted-dns.pid" + + +## User name to drop privileges to, when started as root. + +user = "_encrypted-dns" + + +## Group name to drop privileges to, when started as root. + +group = "_encrypted-dns" + + +## Path to chroot() to, when started as root. +## The path to the state file is relative to the chroot base. + +# chroot = "/var/empty" + + +## Queries sent to that name will return the client IP address. +## This can be very useful for debugging, or to check that relaying works. + +# my_ip = "my.ip" + + +#################################### +# DNSCrypt settings # +#################################### + +[dnscrypt] + +## Provider name (with or without the `2.dnscrypt-cert.` prefix) + +provider_name = "@PROVIDER_NAME@" + + +## Does the server support DNSSEC? + +dnssec = true + + +## Does the server always returns correct answers (no filtering, including ad blocking)? + +no_filters = true + + +## Set to `true` if the server doesn't keep any information that can be used to identify users + +no_logs = true + + +## Key cache capacity, per certificate + +key_cache_capacity = 10000 + + + +############################### +# TLS settings # +############################### + +[tls] + +## Where to proxy TLS connections to (e.g. DoH server) + +# upstream_addr = "127.0.0.1:4343" + +@TLS_PROXY_CONFIGURATION@ + + + +####################################### +# Server-side filtering # +####################################### + +[filtering] + +## List of domains to block, one per line + +@DOMAIN_BLACKLIST_CONFIGURATION@ + + +## List of undelegated TLDs +## This is the list of nonexistent TLDs that queries are frequently observed for, +## but will never resolve to anything. The server will immediately return a +## synthesized NXDOMAIN response instead of hitting root servers. + +undelegated_list = "/opt/encrypted-dns/etc/undelegated.txt" + + +## Ignore A and AAAA queries for unqualified host names. + +ignore_unqualified_hostnames = true + + + +######################### +# Metrics # +######################### + +[metrics] + +type = "prometheus" +listen_addr = "@METRICS_ADDRESS@" +path = "/metrics" + + + +################################ +# Anonymized DNS # +################################ + +[anonymized_dns] + +# Enable relaying support for Anonymized DNS + +enabled = @ANONDNS_ENABLED@ + + +# Allowed upstream ports +# This is a list of commonly used ports for encrypted DNS services + +allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ] + + +# Allow all ports >= 1024 in addition to the list above + +allow_non_reserved_ports = false + + +# Blacklisted upstream IP addresses + +blacklisted_ips = [ @ANONDNS_BLACKLISTED_IPS@ ] + + + + +################################ +# Access control # +################################ + +[access_control] + +# Enable access control + +enabled = false + +# Only allow access to client queries including one of these random tokens +# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as +# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client. +# Example: `query_meta = ["token:Y2oHkDJNHz"]` + +tokens = ["IQdjF6Cqt2fZuVMF", "CUKJAloBTkTRm2aH", "ZlRuzSNoALoAvxyB"] + diff --git a/volumes/unbound/etc/unbound/a-records.conf b/volumes/unbound/etc/unbound/a-records.conf new file mode 100644 index 0000000..e69de29 diff --git a/volumes/unbound/etc/unbound/forward-records.conf b/volumes/unbound/etc/unbound/forward-records.conf new file mode 100644 index 0000000..e69de29 diff --git a/volumes/unbound/etc/unbound/srv-records.conf b/volumes/unbound/etc/unbound/srv-records.conf new file mode 100644 index 0000000..e69de29 diff --git a/volumes/unbound/etc/unbound/unbound.conf b/volumes/unbound/etc/unbound/unbound.conf new file mode 100644 index 0000000..c530514 --- /dev/null +++ b/volumes/unbound/etc/unbound/unbound.conf @@ -0,0 +1,313 @@ +server: +do-ip6: no + ########################################################################### + # BASIC SETTINGS + ########################################################################### + # Time to live maximum for RRsets and messages in the cache. If the maximum + # kicks in, responses to clients still get decrementing TTLs based on the + # original (larger) values. When the internal TTL expires, the cache item + # has expired. Can be set lower to force the resolver to query for data + # often, and not trust (very large) TTL values. + cache-max-ttl: 86400 + + # Time to live minimum for RRsets and messages in the cache. If the minimum + # kicks in, the data is cached for longer than the domain owner intended, + # and thus less queries are made to look up the data. Zero makes sure the + # data in the cache is as the domain owner intended, higher values, + # especially more than an hour or so, can lead to trouble as the data in + # the cache does not match up with the actual data any more. + cache-min-ttl: 300 + + # Set the working directory for the program. + directory: "/opt/unbound/etc/unbound" + + # RFC 6891. Number of bytes size to advertise as the EDNS reassembly buffer + # size. This is the value put into datagrams over UDP towards peers. + # The actual buffer size is determined by msg-buffer-size (both for TCP and + # UDP). Do not set higher than that value. + # Default is 1232 which is the DNS Flag Day 2020 recommendation. + # Setting to 512 bypasses even the most stringent path MTU problems, but + # is seen as extreme, since the amount of TCP fallback generated is + # excessive (probably also for this resolver, consider tuning the outgoing + # tcp number). + edns-buffer-size: 1232 + + # Listen to for queries from clients and answer from this network interface + # and port. + interface: 0.0.0.0@53 + + # Rotates RRSet order in response (the pseudo-random number is taken from + # the query ID, for speed and thread safety). + rrset-roundrobin: yes + + # Drop user privileges after binding the port. + username: "_unbound" + + ########################################################################### + # LOGGING + ########################################################################### + + # Do not print log lines to inform about local zone actions + log-local-actions: no + + # Do not print one line per query to the log + log-queries: yes + + # Do not print one line per reply to the log + log-replies: no + + # Do not print log lines that say why queries return SERVFAIL to clients + log-servfail: no + + # Further limit logging + #logfile: /dev/null + logfile: /var/unbound.log + + # Only log errors + verbosity: 0 + + ########################################################################### + # PRIVACY SETTINGS + ########################################################################### + + # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other + # denials, using information from previous NXDO-MAINs answers. In other + # words, use cached NSEC records to generate negative answers within a + # range and positive answers from wildcards. This increases performance, + # decreases latency and resource utilization on both authoritative and + # recursive servers, and increases privacy. Also, it may help increase + # resilience to certain DoS attacks in some circumstances. + aggressive-nsec: yes + + # Extra delay for timeouted UDP ports before they are closed, in msec. + # This prevents very delayed answer packets from the upstream (recursive) + # servers from bouncing against closed ports and setting off all sort of + # close-port counters, with eg. 1500 msec. When timeouts happen you need + # extra sockets, it checks the ID and remote IP of packets, and unwanted + # packets are added to the unwanted packet counter. + delay-close: 10000 + + # Prevent the unbound server from forking into the background as a daemon + do-daemonize: no + + # Add localhost to the do-not-query-address list. + do-not-query-localhost: no + + # Number of bytes size of the aggressive negative cache. + neg-cache-size: 4M + + # Send minimum amount of information to upstream servers to enhance + # privacy (best privacy). + qname-minimisation: yes + + ########################################################################### + # SECURITY SETTINGS + ########################################################################### + # Only give access to recursion clients from LAN IPs + access-control: 127.0.0.1/32 allow + access-control: 192.168.0.0/16 allow + access-control: 172.16.0.0/12 allow + access-control: 10.0.0.0/8 allow + # access-control: fc00::/7 allow + # access-control: ::1/128 allow + + # File with trust anchor for one zone, which is tracked with RFC5011 + # probes. + auto-trust-anchor-file: "var/root.key" + + # Enable chroot (i.e, change apparent root directory for the current + # running process and its children) + chroot: "/opt/unbound/etc/unbound" + + # Deny queries of type ANY with an empty response. + deny-any: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. + harden-algo-downgrade: yes + + # RFC 8020. returns nxdomain to queries for a name below another name that + # is already known to be nxdomain. + harden-below-nxdomain: yes + + # Require DNSSEC data for trust-anchored zones, if such data is absent, the + # zone becomes bogus. If turned off you run the risk of a downgrade attack + # that disables security for a zone. + harden-dnssec-stripped: yes + + # Only trust glue if it is within the servers authority. + harden-glue: yes + + # Ignore very large queries. + harden-large-queries: yes + + # Perform additional queries for infrastructure data to harden the referral + # path. Validates the replies if trust anchors are configured and the zones + # are signed. This enforces DNSSEC validation on nameserver NS sets and the + # nameserver addresses that are encountered on the referral path to the + # answer. Experimental option. + harden-referral-path: no + + # Ignore very small EDNS buffer sizes from queries. + harden-short-bufsize: yes + + # Refuse id.server and hostname.bind queries + hide-identity: yes + + # Refuse version.server and version.bind queries + hide-version: yes + + # Report this identity rather than the hostname of the server. + identity: "DNS" + + # These private network addresses are not allowed to be returned for public + # internet names. Any occurrence of such addresses are removed from DNS + # answers. Additionally, the DNSSEC validator may mark the answers bogus. + # This protects against DNS Rebinding + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + # private-address: fd00::/8 + # private-address: fe80::/10 + # private-address: ::ffff:0:0/96 + + # Enable ratelimiting of queries (per second) sent to nameserver for + # performing recursion. More queries are turned away with an error + # (servfail). This stops recursive floods (e.g., random query names), but + # not spoofed reflection floods. Cached responses are not rate limited by + # this setting. Experimental option. + ratelimit: 1000 + + # Use this certificate bundle for authenticating connections made to + # outside peers (e.g., auth-zone urls, DNS over TLS connections). + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + + # Set the total number of unwanted replies to eep track of in every thread. + # When it reaches the threshold, a defensive action of clearing the rrset + # and message caches is taken, hopefully flushing away any poison. + # Unbound suggests a value of 10 million. + unwanted-reply-threshold: 10000 + + # Use 0x20-encoded random bits in the query to foil spoof attempts. This + # perturbs the lowercase and uppercase of query names sent to authority + # servers and checks if the reply still has the correct casing. + # This feature is an experimental implementation of draft dns-0x20. + # Experimental option. + use-caps-for-id: yes + + # Help protect users that rely on this validator for authentication from + # potentially bad data in the additional section. Instruct the validator to + # remove data from the additional section of secure messages that are not + # signed properly. Messages that are insecure, bogus, indeterminate or + # unchecked are not affected. + val-clean-additional: yes + + ########################################################################### + # PERFORMANCE SETTINGS + ########################################################################### + # https://nlnetlabs.nl/documentation/unbound/howto-optimise/ + # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/ + + # Number of slabs in the infrastructure cache. Slabs reduce lock contention + # by threads. Must be set to a power of 2. + infra-cache-slabs: 2 + + # Number of incoming TCP buffers to allocate per thread. Default + # is 10. If set to 0, or if do-tcp is "no", no TCP queries from + # clients are accepted. For larger installations increasing this + # value is a good idea. + incoming-num-tcp: 10 + + # Number of slabs in the key cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number + # of cpus is a reasonable guess. + key-cache-slabs: 2 + + # Number of bytes size of the message cache. + # Unbound recommendation is to Use roughly twice as much rrset cache memory + # as you use msg cache memory. + msg-cache-size: 165713237 + + # Number of slabs in the message cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. Setting (close) to the number of + # cpus is a reasonable guess. + msg-cache-slabs: 2 + + # The number of queries that every thread will service simultaneously. If + # more queries arrive that need servicing, and no queries can be jostled + # out (see jostle-timeout), then the queries are dropped. + # This is best set at half the number of the outgoing-range. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + num-queries-per-thread: 4096 + + # The number of threads to create to serve clients. + # This is set dynamically at run time to effectively use available CPUs + # resources + num-threads: 1 + + # Number of ports to open. This number of file descriptors can be opened + # per thread. + # This Unbound instance was compiled with libevent so it can efficiently + # use more than 1024 file descriptors. + outgoing-range: 8192 + + # Number of bytes size of the RRset cache. + # Use roughly twice as much rrset cache memory as msg cache memory + rrset-cache-size: 331426474 + + # Number of slabs in the RRset cache. Slabs reduce lock contention by + # threads. Must be set to a power of 2. + rrset-cache-slabs: 2 + + # Do no insert authority/additional sections into response messages when + # those sections are not required. This reduces response size + # significantly, and may avoid TCP fallback for some responses. This may + # cause a slight speedup. + minimal-responses: yes + + # # Fetch the DNSKEYs earlier in the validation process, when a DS record + # is encountered. This lowers the latency of requests at the expense of + # little more CPU usage. + prefetch: yes + + # Fetch the DNSKEYs earlier in the validation process, when a DS record is + # encountered. This lowers the latency of requests at the expense of little + # more CPU usage. + prefetch-key: yes + + # Have unbound attempt to serve old responses from cache with a TTL of 0 in + # the response without waiting for the actual resolution to finish. The + # actual resolution answer ends up in the cache later on. + serve-expired: yes + + # Open dedicated listening sockets for incoming queries for each thread and + # try to set the SO_REUSEPORT socket option on each socket. May distribute + # incoming queries to threads more evenly. + so-reuseport: yes + + ########################################################################### + # LOCAL ZONE + ########################################################################### + + # Include file for local-data and local-data-ptr + include: /opt/unbound/etc/unbound/a-records.conf + include: /opt/unbound/etc/unbound/srv-records.conf + + ########################################################################### + # FORWARD ZONE + ########################################################################### + + include: /opt/unbound/etc/unbound/forward-records.conf + +auth-zone: + name: "." + url: "https://www.internic.net/domain/root.zone" + fallback-enabled: yes + for-downstream: no + for-upstream: yes + zonefile: "var/root.zone" + +remote-control: + control-enable: no diff --git a/volumes/unbound/etc/unbound/unbound.pid b/volumes/unbound/etc/unbound/unbound.pid new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/volumes/unbound/etc/unbound/unbound.pid @@ -0,0 +1 @@ +1